I have removed the root password from my machines using 'passwd -d root' so that it's only possible to authenticate as root using SSH keypairs or as a sudoer.
This causes the code in miniserv.pl to fail when trying to detect whether PAM is enabled. The pam_conv callback is never triggered when pam_authenticate() is called. This is the test that miniserv uses to check to see if PAM is working.
I needed to change line 104 of miniserv.pl from
if (ref($pamh = new Authen::PAM($config{'pam'}, "root",
to
if (ref($pamh = new Authen::PAM($config{'pam'}, "webmin",
(after adding a 'webmin' user with a password to my machine)
Perhaps the user that miniserv tests pam_authenticate for should be a config param in miniserv.conf?
Thanks, I didn't consider the case where root's password would be disabled.
In Webmin 1.500, you will be able to specify a different test user by editing /etc/webmin/miniserv.conf and adding the line :
pam_test_user=webmin
then running /etc/webmin/restart
Actually, this is also a problem in validate_unix_user()
If a user doesn't have a password, the pam_authenticate() returns PAM_SUCCESS() ... which means that the user can log in using any password they wish
Isn't that expected? If a user has no password set, you can SSH in without needing to enter any password..
In the original case, root's password was locked.
Log in to post a comment.